U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

International Trade Administration

FY 2007 FISMA Assessment of Core Network General Support System (ITA-012)
Final Inspection Report No. OSE-18840 / September 2007

PUBLIC RELEASE

Office of Systems Evaluation

OIG FY 2007 FISMA Assessment

Listing of Abbreviated Terms & Acronyms
   C&A      Certification and accreditation
   IT       Information technology
   ISA      Internet Security Acceleration
   OMB      Office of Management and Budget
   FISMA    Federal Information Security Management Act of 2002
   PIX      Private Internet Exchange
   RADIUS   Remote Authentication Dial-in User Server
   SSL      Secure Sockets Layer
   VPN      Virtual Private Network

Synopsis of Findings Both Positive and Requiring Management Attention
   • Effective assessment process provides a clear understanding of remaining vulnerabilities and status of system security controls.
   • Components outside of the accreditation boundary that provide security controls for the system were not evaluated.
   • System contingency plan and contingency testing are inadequate.

Conclusions
   • Certification testing adequately assessed the required security controls.
   • Certification activities provided a sufficient basis for the authorizing official to make a credible, risk-based decision to approve system operation.

Summary of ITA's Response and OIG Comments

ITA concurred with all of our recommendations and identified actions it has taken or plans to take to address them. The actions described are responsive to our recommendations. ITA's written response is included in its entirety as appendix B of this report.

Findings and Recommendations

1. Effective Assessment Process Provides a Clear Understanding of Remaining Vulnerabilities and Status of System Security Controls
   • The assessment of ITA security controls was based on well-defined procedures and expected results.
   • Clear assessment results were provided for each assessment procedure.
       o The clarity and credibility of the results are greatly enhanced because results data was provided for controls that were assessed by examination or manual testing.
       o Identification of the individual interviewed and a summary of their response demonstrated that assessments based on interviews involved the correct system owner staff and asked relevant and appropriate questions.
   • By clearly defining assessment procedures and expected results, and thoroughly documenting assessment results, the certification agent could accurately determine which security controls are implemented correctly, recommend specific corrective actions, and clearly present to the authorizing official the risks associated with the remaining vulnerabilities.
   • Well-documented test results assist in effective vulnerability mitigation because the system owner has a clear record of specific system vulnerabilities.

ITA had no comments on this finding.

2. Components Outside of the Accreditation Boundary That Provide Security Controls for the System Were Not Evaluated
   • The system security plan and the security test and evaluation report describe the following security controls and components that are outside the accreditation boundary:
       o AC-2 (Account Management): RADIUS is the centralized mechanism for managing system administrator accounts for the edge router and PIX firewall.
       o AC-13 (Supervision and Review): The external switch is protected by other boundary devices at a higher level in the network general support system.
       o AC-20 (Personally Owned Information Systems): Authorized users access the ITA network remotely via a Juniper SSL VPN appliance, and system administrators access the ITA network via a Microsoft ISA server.
   • During a follow-up meeting, ITA explained that the components are part of the ITA Network Security general support system, which was itself undergoing C&A and had not been tested at the time the ITA Core Network was undergoing C&A.
   • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, defines the application of security controls from one system to another as common controls. The results from the assessment of common controls can be used to support the security C&A processes of the system where that control has been applied. However, because the devices providing these security controls had not been assessed, there are no assessment results to support the use of those controls in the ITA Core Network.

Recommendation

ITA should ensure that all components that implement security controls for a system are assessed prior to or during certification and accreditation.

ITA's Response

ITA concurred with this recommendation and stated that it will ensure that any components that are not a part of an information system's accreditation boundary are assessed prior to completing the certification and accreditation for that system. ITA also stated that controls AC-2 (Account Management) and AC-20 (Personally Owned Information Systems) have been implemented and tested for all of its information systems.

OIG Comment

ITA's corrective actions are responsive to our recommendation.

3. System Contingency Plan and Contingency Testing Are Inadequate
   • An annual test of the contingency plan was not conducted.
       o Certification test results indicate that the last test of the system contingency plan was conducted in June 2006 and note that the contingency test results cannot be found.
       o The certification test results also indicate that the contingency plan was not used as the basis to assess system contingency readiness. Instead, the assessment was conducted using Federal Emergency Management Agency defined tests and exercise scenarios.
   • The contingency plan does not address the procedures and activities required to restore operations after a disruption or failure, as required by Department policy and NIST SP 800-53.
       o The contingency plan was created in January 2007 and addresses ITA's Enterprise Network system, which includes the Core Network system.
       o System recovery procedures are referenced but not included in the plan. ITA subsequently provided the OIG a document titled Network Shutdown Procedures and Network Restore Procedures. However, that document only addresses procedures for network shutdown and restart and does not provide the other important procedures needed to restore operations after a disruption or failure.
       o The contingency plan also fails to specify the emergency scenarios that require annual testing.

Recommendations

ITA should ensure that:

   1. Procedures and activities to restore operations after a failure or disruption are incorporated into the system contingency plan in accordance with Department policy.
   2. ITA conducts annual contingency plan testing in accordance with Department policy, and that contingency test documentation contains detailed information regarding the scope, test procedures, test scenarios, and a summary of the results.

ITA's Response

ITA concurred with these recommendations and stated that it is developing procedures to restore operations after a failure or disruption of its systems and that changes to operations are being instituted to ensure that network operations can be restored after a failure or disruption. ITA noted that the test of its Enterprise Network Contingency Plan will be completed by the end of calendar year 2007 and will include detailed agency-defined test scenarios and a summary of all test results.

OIG Comment

ITA's corrective actions are responsive to our recommendations.

Appendix A: Objectives, Scope, and Methodology

To meet the FY 2007 FISMA reporting requirements, we evaluated ITA's certification and accreditation for the core network general support system (ITA-012).

Security certification and accreditation packages contain three elements, which form the basis of an authorizing official's decision to accredit a system.

   • The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. As such, the security plan provides a basis for assessing security controls. Per Department policy, the security plan also includes other documents such as the system risk assessment and contingency plan.
   • The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
   • The plan of action & milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

Commerce's IT Security Program Policy and Minimum Implementation Standards requires that C&A packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are:

   • The certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements.
   • The certification test results, which are the raw data collected during the assessment.

To evaluate the C&A package, we reviewed all components of the package and interviewed ITA staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB.

We used the following review criteria:
   • Federal Information Security Management Act of 2002 (FISMA)
   • U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards
   • NIST's Federal Information Processing Standards (FIPS)
       o Publication 199, Standards for Security Categorization of Federal Information and Information Systems
       o Publication 200, Minimum Security Requirements for Federal Information and Information Systems
   • NIST Special Publications:
       o 800-18, Guide for Developing Security Plans for Information Technology Systems
       o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
       o 800-42, Guideline on Network Security Testing
       o 800-53, Recommended Security Controls for Federal Information Systems
       o 800-70, Security Configuration Checklists Program for IT Products

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency in January 2005.